1 # Copyright (C) 2001-2007, 2009, 2010 Nominum, Inc.
3 # Permission to use, copy, modify, and distribute this software and its
4 # documentation for any purpose with or without fee is hereby granted,
5 # provided that the above copyright notice and this permission notice
6 # appear in all copies.
8 # THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
9 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
11 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
14 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 """DNS TSIG support."""
25 class BadTime(dns
.exception
.DNSException
):
26 """Raised if the current time is not within the TSIG's validity time."""
29 class BadSignature(dns
.exception
.DNSException
):
30 """Raised if the TSIG signature fails to verify."""
33 class PeerError(dns
.exception
.DNSException
):
34 """Base class for all TSIG errors generated by the remote peer"""
37 class PeerBadKey(PeerError
):
38 """Raised if the peer didn't know the key we used"""
41 class PeerBadSignature(PeerError
):
42 """Raised if the peer didn't like the signature we sent"""
45 class PeerBadTime(PeerError
):
46 """Raised if the peer didn't like the time we sent"""
49 class PeerBadTruncation(PeerError
):
50 """Raised if the peer didn't like amount of truncation in the TSIG we sent"""
53 default_algorithm
= "HMAC-MD5.SIG-ALG.REG.INT"
60 def sign(wire
, keyname
, secret
, time
, fudge
, original_id
, error
,
61 other_data
, request_mac
, ctx
=None, multi
=False, first
=True,
62 algorithm
=default_algorithm
):
63 """Return a (tsig_rdata, mac, ctx) tuple containing the HMAC TSIG rdata
64 for the input parameters, the HMAC MAC calculated by applying the
65 TSIG signature algorithm, and the TSIG digest context.
66 @rtype: (string, string, hmac.HMAC object)
67 @raises ValueError: I{other_data} is too long
68 @raises NotImplementedError: I{algorithm} is not supported
71 (algorithm_name
, digestmod
) = get_algorithm(algorithm
)
73 ctx
= hmac
.new(secret
, digestmod
=digestmod
)
76 ctx
.update(struct
.pack('!H', ml
))
77 ctx
.update(request_mac
)
78 id = struct
.pack('!H', original_id
)
82 ctx
.update(keyname
.to_digestable())
83 ctx
.update(struct
.pack('!H', dns
.rdataclass
.ANY
))
84 ctx
.update(struct
.pack('!I', 0))
86 upper_time
= (long_time
>> 32) & 0xffffL
87 lower_time
= long_time
& 0xffffffffL
88 time_mac
= struct
.pack('!HIH', upper_time
, lower_time
, fudge
)
89 pre_mac
= algorithm_name
+ time_mac
92 raise ValueError('TSIG Other Data is > 65535 bytes')
93 post_mac
= struct
.pack('!HH', error
, ol
) + other_data
100 mpack
= struct
.pack('!H', len(mac
))
101 tsig_rdata
= pre_mac
+ mpack
+ mac
+ id + post_mac
103 ctx
= hmac
.new(secret
)
105 ctx
.update(struct
.pack('!H', ml
))
109 return (tsig_rdata
, mac
, ctx
)
111 def hmac_md5(wire
, keyname
, secret
, time
, fudge
, original_id
, error
,
112 other_data
, request_mac
, ctx
=None, multi
=False, first
=True,
113 algorithm
=default_algorithm
):
114 return sign(wire
, keyname
, secret
, time
, fudge
, original_id
, error
,
115 other_data
, request_mac
, ctx
, multi
, first
, algorithm
)
117 def validate(wire
, keyname
, secret
, now
, request_mac
, tsig_start
, tsig_rdata
,
118 tsig_rdlen
, ctx
=None, multi
=False, first
=True):
119 """Validate the specified TSIG rdata against the other input parameters.
121 @raises FormError: The TSIG is badly formed.
122 @raises BadTime: There is too much time skew between the client and the
124 @raises BadSignature: The TSIG signature did not validate
125 @rtype: hmac.HMAC object"""
127 (adcount
,) = struct
.unpack("!H", wire
[10:12])
129 raise dns
.exception
.FormError
131 new_wire
= wire
[0:10] + struct
.pack("!H", adcount
) + wire
[12:tsig_start
]
133 (aname
, used
) = dns
.name
.from_wire(wire
, current
)
134 current
= current
+ used
135 (upper_time
, lower_time
, fudge
, mac_size
) = \
136 struct
.unpack("!HIHH", wire
[current
:current
+ 10])
137 time
= ((upper_time
+ 0L) << 32) + (lower_time
+ 0L)
139 mac
= wire
[current
:current
+ mac_size
]
141 (original_id
, error
, other_size
) = \
142 struct
.unpack("!HHH", wire
[current
:current
+ 6])
144 other_data
= wire
[current
:current
+ other_size
]
145 current
+= other_size
146 if current
!= tsig_rdata
+ tsig_rdlen
:
147 raise dns
.exception
.FormError
150 raise PeerBadSignature
151 elif error
== BADKEY
:
153 elif error
== BADTIME
:
155 elif error
== BADTRUNC
:
156 raise PeerBadTruncation
158 raise PeerError('unknown TSIG error code %d' % error
)
159 time_low
= time
- fudge
160 time_high
= time
+ fudge
161 if now
< time_low
or now
> time_high
:
163 (junk
, our_mac
, ctx
) = sign(new_wire
, keyname
, secret
, time
, fudge
,
164 original_id
, error
, other_data
,
165 request_mac
, ctx
, multi
, first
, aname
)
170 def get_algorithm(algorithm
):
171 """Returns the wire format string and the hash module to use for the
172 specified TSIG algorithm
174 @rtype: (string, hash constructor)
175 @raises NotImplementedError: I{algorithm} is not supported
181 hashes
[dns
.name
.from_text('hmac-sha224')] = hashlib
.sha224
182 hashes
[dns
.name
.from_text('hmac-sha256')] = hashlib
.sha256
183 hashes
[dns
.name
.from_text('hmac-sha384')] = hashlib
.sha384
184 hashes
[dns
.name
.from_text('hmac-sha512')] = hashlib
.sha512
185 hashes
[dns
.name
.from_text('hmac-sha1')] = hashlib
.sha1
186 hashes
[dns
.name
.from_text('HMAC-MD5.SIG-ALG.REG.INT')] = hashlib
.md5
189 if sys
.hexversion
< 0x02050000:
190 # hashlib doesn't conform to PEP 247: API for
191 # Cryptographic Hash Functions, which hmac before python
192 # 2.5 requires, so add the necessary items.
193 class HashlibWrapper
:
194 def __init__(self
, basehash
):
195 self
.basehash
= basehash
196 self
.digest_size
= self
.basehash().digest_size
198 def new(self
, *args
, **kwargs
):
199 return self
.basehash(*args
, **kwargs
)
202 hashes
[name
] = HashlibWrapper(hashes
[name
])
206 hashes
[dns
.name
.from_text('HMAC-MD5.SIG-ALG.REG.INT')] = md5
.md5
207 hashes
[dns
.name
.from_text('hmac-sha1')] = sha
.sha
209 if isinstance(algorithm
, (str, unicode)):
210 algorithm
= dns
.name
.from_text(algorithm
)
212 if algorithm
in hashes
:
213 return (algorithm
.to_digestable(), hashes
[algorithm
])
215 raise NotImplementedError("TSIG algorithm " + str(algorithm
) +